Home page logo

bugtraq logo Bugtraq mailing list archives

Flawed workaround in MS02-027 -- gopher can run on _any_ port, not just 70
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Thu, 13 Jun 2002 18:57:07 +0200

Just a quick heads-up:

MS02-027 cites blocking port 70 as an effective protection against
exploitation of the Gopher buffer overrun in IE / ISA server / MS proxy:

"Most notably, customers who block access to the Gopher protocol (TCP 
 port 70) at the perimeter firewall would be protected against attempts 
 to exploit this vulnerability across the Internet."

This is untrue. Gopher servers can run on any port, e.g.
"gopher://evilhacker.net:1234";, or why not ":80", so don't trust 
blocking port 70 at all. Use the other workarounds instead.

(In fact, in the case of *nix servers, it's even easier for an attacker 
to run the fake gopher server on a high port; this way, he won't even 
need root priviliges.)

Take care,
/Mikael Olsson

Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]